1. SELinux configuration file
Deploying SELinux on a CentOS 7 system is very simple. Because SELinux is integrated into the kernel as a module, it is already enabled by default; the administrator's job is mainly to configure and manage it. The global SELinux configuration file on CentOS 7 is /etc/sysconfig/selinux (a symbolic link to /etc/selinux/config), and its content is as follows:
[root@centos7 ~]# vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
SELINUX=enforcing is the master switch of SELinux; the valid values are enforcing, permissive and disabled.
Of these, disabled turns SELinux off entirely. Because SELinux is a kernel module, a change to or from disabled only takes effect after the computer is restarted. permissive is warning-only mode: when a subject process tries to access a resource the policy does not allow, SELinux records the event in its log but does not block the access, so the access succeeds and only the log entry shows that it violated the policy. enforcing is the fully active mode: SELinux blocks policy-violating access and records it in the log.
setenforce switches temporarily between enforcing and permissive mode; the change applies to the running system immediately and is lost when the computer restarts. To change the mode permanently, edit the configuration file. Note that setenforce cannot switch to or from disabled, since loading or unloading the policy happens at boot; getenforce prints the mode currently in effect.
[root@centos7 ~]# setenforce 0    # Set SELinux to permissive mode
[root@centos7 ~]# setenforce 1    # Set SELinux to enforcing mode
2. SELinux security context
SELinux attaches a security label to every process and file, consisting of an SELinux user, a role, a type and an optional level. These labels are the basis of every access control decision while SELinux is running. The example below shows how to view an SELinux security context: ls -Z shows the context of a file or directory, and ps aux -Z shows the context of each process:
[root@centos7 ~]# ls -Z anaconda-ks.cfg
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
[root@centos7 ~]# ps aux -Z
An SELinux security context consists of four colon-separated fields:
user:role:type:level
In the example above, system_u is the SELinux user, object_r the role, admin_home_t the type and s0 the level. Under the targeted policy the type field is the one most access decisions are made on.
3. SELinux troubleshooting
SELinux access decisions are recorded as AVC (Access Vector Cache) messages, and every access that SELinux denies is written to the log. Depending on which service processes are installed and running on the system, the denial messages land in different files; Table 6-2 lists the relationship between the processes and the log file.
Table 6-2
Log file                                        Condition
/var/log/audit/audit.log                        the auditd service is enabled
/var/log/messages                               the auditd service is off and the rsyslogd service is on
/var/log/audit/audit.log and /var/log/messages  the setroubleshoot packages are installed and auditd and rsyslogd are both enabled
Most servers in a production environment run Linux without a graphical interface, so the log files have to be read by hand. Administrators are advised to install the setroubleshoot packages (setroubleshoot-server on CentOS 7), which turn the terse AVC denial records into far more readable setroubleshoot messages. The log can be viewed in either of the following two ways:
[root@centos7 ~]# grep setroubleshoot /var/log/messages
[root@centos7 ~]# grep denied /var/log/audit/audit.log
The messages log then contains a hint like the one below; run the sealert command it names (the UUID identifies that particular alert) to get the human-readable explanation of the denial:
setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html. For complete SELinux messages run sealert -l 7082b8b4-70f4-42fb-92ea-08a51299d080
[root@centos7 ~]# sealert -l 7082b8b4-70f4-42fb-92ea-08a51299d080
4. Modifying the security context
There are several ways to modify and manage the SELinux security context, chiefly the chcon, semanage fcontext and restorecon commands. chcon is described first.
chcon
Description: change the SELinux security context of files.
Usage: chcon [options] [-u SELinux user] [-r role] [-l range] [-t type] file...
       chcon [options] --reference=reference_file file...
Options:
  -u, --user        change the user field of the context
  -r, --role        change the role field
  -l, --range       change the range (level) field
  -t, --type        change the type field
  -R, --recursive   operate on files and directories recursively
  --reference=RFILE use the context of RFILE instead of specifying the fields
Example:
(1) Modify the security context of a file.
[root@centos7 ~]# cp --preserve=all /etc/passwd /root/    # Copy the file, keeping its context
[root@centos7 ~]# ls -Z /root/passwd                        # View the file's SELinux security context
[root@centos7 ~]# chcon -t admin_home_t /root/passwd        # Change the type field of the context
[root@centos7 ~]# ls -Z /root/passwd
(2) Modify the security context of a directory.
[root@centos7 ~]# chcon -R -t admin_home_t /root/           # Recursively change the directory's context
(3) Set the security context of the target file from a reference file.
[root@centos7 ~]# chcon --reference=/etc/passwd /root/passwd
A context set with chcon is not the SELinux default context. When the filesystem is relabeled, or when restorecon is run on the directory, every file and directory is reset to the context the policy defines, and the chcon change is lost. To change the default context itself, add or modify the policy's file context rule with the semanage command.
5. The semanage command
Description: SELinux policy management tool; its fcontext subcommand manages the default file contexts.
Usage: semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
Options:
  -a, --add        add a default security context rule
  -d, --delete     delete the specified default security context rule
  -D, --deleteall  delete all locally added rules
  -m, --modify     modify the specified default security context rule
  -l, --list       list the default security context rules
  -n, --noheading  do not print the header line
  -t type          the type to assign (used with -a and -m)
Example:
(1) View the default security context rules of the SELinux policy; the system lists every directory pattern and the security context defined for it.
[root@centos7 ~]# semanage fcontext -l
(2) Modify the policy by adding a new default security context rule. Note that a newly created file is labelled by the kernel from its parent directory and the policy's type transition rules, not from the fcontext rule, so ls -Z does not show samba_share_t yet; the rule is applied in step (3).
[root@centos7 ~]# semanage fcontext -a -t samba_share_t /test/test.txt
[root@centos7 ~]# mkdir /test; touch /test/test.txt
[root@centos7 ~]# ls -Z /test/test.txt
(3) Use restorecon to reset the security context of test.txt to the default defined by the rule.
[root@centos7 ~]# restorecon /test/test.txt
[root@centos7 ~]# ls -Z /test/test.txt
(4) Set the default security context of a directory tree recursively.
[root@centos7 ~]# semanage fcontext -a -t httpd_sys_content_t "/site/www(/.*)?"
[root@centos7 ~]# mkdir -p /site/www/{web1,web2}
[root@centos7 ~]# touch /site/www/{web1,web2}/index.html
[root@centos7 ~]# ls -RZ /site/www
[root@centos7 ~]# restorecon -R /site/
(5) Delete a default security context rule.
[root@centos7 ~]# semanage fcontext -d /test/test.txt
(6) Check which default security context applies to a path.
[root@centos7 ~]# matchpathcon /site/www/
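As an added illustration, not from the original text, of how the file_spec patterns above are applied, the following Python resolves a path against a small constructed file_contexts table the way matchpathcon does, in simplified form: each spec is anchored against the whole path, the spec with the longest literal prefix wins, and on a tie the later (locally added) entry wins. The table entries are assumed for illustration and are not a dump of any real policy.

```python
import re
from typing import List, Optional, Tuple

# Constructed, illustrative file_contexts table (regex, type) in the order it is
# consulted: a few policy defaults followed by the two local rules the page adds
# with "semanage fcontext -a". Not a dump of any real policy.
FCONTEXT_ENTRIES: List[Tuple[str, str]] = [
    ("/.*", "default_t"),
    ("/etc/passwd", "passwd_file_t"),
    ("/root(/.*)?", "admin_home_t"),
    ("/test/test.txt", "samba_share_t"),         # local rule from example (2); the '.' is unescaped
    ("/site/www(/.*)?", "httpd_sys_content_t"),  # local rule from example (4)
]

META = ".^$?*+|[({"   # regex metacharacters that end a spec's literal prefix


def literal_prefix(regex: str) -> str:
    """Part of the spec before its first regex metacharacter; longer means more specific."""
    cut = min((regex.find(c) for c in META if c in regex), default=len(regex))
    return regex[:cut]


def match_path(path: str, entries: List[Tuple[str, str]] = FCONTEXT_ENTRIES) -> Optional[str]:
    """Resolve the default type for 'path' as matchpathcon does (simplified).

    Every spec is matched against the whole path (libselinux anchors it with ^...$).
    The most specific spec (longest literal prefix) wins; on a tie the later entry
    wins, which is why local customizations override the policy defaults.
    """
    best_key, best_type = None, None
    for idx, (regex, ctype) in enumerate(entries):
        if re.fullmatch(regex, path) is None:
            continue
        key = (len(literal_prefix(regex)), idx)
        if best_key is None or key > best_key:
            best_key, best_type = key, ctype
    return best_type


def explain(path: str) -> str:
    """matchpathcon-style output line using the page's system_u:object_r:TYPE:s0 layout."""
    ctype = match_path(path)
    return f"{path}\tsystem_u:object_r:{ctype}:s0" if ctype else f"{path}\t<<none>>"
```

Because semanage treats file_spec as a regular expression, the unescaped dot in /test/test.txt also matches names such as /test/testXtxt; write "/test/test\.txt" to match only the literal file name.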
6.2.6 View and modify boolean values
SELinux booleans can be changed at run time: for example, a service can be allowed to access NFS filesystems without reloading or recompiling the SELinux policy. getsebool shows the value of SELinux booleans and is simple to use: the -a option lists all booleans. Administrators usually narrow the list with a pipe, for example getsebool -a | grep ftp to show only the FTP-related booleans. In the output, the left column is the boolean name and the right column its state, on or off. An example follows.
[root@centos7 ~]# getsebool -a
abrt_anon_write off
abrt_handle_event off
allow_console_login on
allow_cvs_read_shadow off
allow_daemons_dump_core on
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty on
allow_domain_fd_use...
Changing a boolean is just as simple: setsebool name X, where name is the boolean and X is on or off. By default setsebool takes effect immediately but the value is reverted when the computer restarts; to make the change permanent, use the -P option (capital P), which also writes the value to the policy store.
[root@centos7 ~]# setsebool ftp_home_dir on
[root@centos7 ~]# setsebool -P ftp_home_dir on